On Fri, 2018-07-06 at 10:55 +0200, Sumit Bose wrote:
> this makes SSSD assume that the user is not a member of any group.
> Please try to set 'ldap_use_tokengroups=False' (see man sssd-ldap for
> details) and check if the group memberships are reported more
> reliably.
> Afaik the issue with the tokenGroups might indicate that the used AD DC
> has issues reaching a Global Catalog server.
I've been talking to some people here more familiar with AD than I am.
They say that there is a setting in AD that prevents reading of
tokenGroups without a permission change. This is a behavior that is a
remnant from pre-Windows 2003 AD controllers. My machine needs to be
added to a Windows Authorization Activation Group to get the right
permissions.
I don't fully understand, but it seems as though tokenGroup is a
privileged property, and until I have the right permissions, I won't be
able to access this property, which is probably why secondary groups
are not working.
Once I have been put in the new group, I'll let you know if that
resolves the issue.
--
John Ratliff
Research Storage / UITS / Pervasive Technology Institute
Indiana University | https://pti.iu.edu
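The following is an added example, not code from this thread or from the SSSD project. It audits an sssd.conf for domains whose initgroups lookups rely on the tokenGroups attribute, and produces a copy of the configuration with the `ldap_use_tokengroups = False` setting that Sumit suggested applied to one domain. The sample sssd.conf is constructed; the per-provider default it assumes (tokenGroups enabled for the `ad` and `ipa` providers, disabled otherwise) follows the description in man sssd-ldap. Function names are this example's own.

```python
import configparser
from io import StringIO

# Constructed sample sssd.conf (not taken from the thread).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = ad.example.com, legacy.example.net
services = nss, pam

[domain/ad.example.com]
id_provider = ad
access_provider = ad
ad_domain = ad.example.com
# ldap_use_tokengroups is not set here: the provider default applies

[domain/legacy.example.net]
id_provider = ldap
ldap_uri = ldaps://ldap.example.net
ldap_use_tokengroups = True
"""

TRUE_VALUES = {"true", "yes", "1"}
FALSE_VALUES = {"false", "no", "0"}


def parse_sssd_conf(text):
    """Parse sssd.conf text; interpolation is off so '%' in values is harmless."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def tokengroups_default(id_provider):
    """Assumed provider default for ldap_use_tokengroups, per man sssd-ldap:
    True for the ad and ipa providers, False for everything else."""
    return id_provider in ("ad", "ipa")


def parse_bool(raw, fallback):
    """Interpret an SSSD boolean value, using the provider default when unset."""
    if raw is None:
        return fallback
    value = raw.strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"not a boolean: {raw!r}")


def audit_tokengroups(text):
    """Return, per domain, whether group lookups will use tokenGroups and
    whether that comes from an explicit setting or the provider default."""
    parser = parse_sssd_conf(text)
    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        provider = parser.get(section, "id_provider", fallback="").strip().lower()
        raw = parser.get(section, "ldap_use_tokengroups", fallback=None)
        report[domain] = {
            "id_provider": provider,
            "uses_tokengroups": parse_bool(raw, tokengroups_default(provider)),
            "explicit": raw is not None,
        }
    return report


def disable_tokengroups(text, domain):
    """Return a copy of the config with ldap_use_tokengroups = False in
    [domain/<domain>], the change suggested in the thread for testing."""
    parser = parse_sssd_conf(text)
    section = f"domain/{domain}"
    if not parser.has_section(section):
        raise KeyError(f"no such domain section: {section}")
    parser.set(section, "ldap_use_tokengroups", "False")
    out = StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for name, info in audit_tokengroups(SAMPLE_SSSD_CONF).items():
        origin = "explicit" if info["explicit"] else "provider default"
        print(f"{name}: id_provider={info['id_provider']} "
              f"tokengroups={info['uses_tokengroups']} ({origin})")
    print(disable_tokengroups(SAMPLE_SSSD_CONF, "ad.example.com"))
```

Note that configparser drops comments when it rewrites the file, so on a real host it is better to add the single line by hand to the relevant `[domain/...]` section, restart sssd, and then compare `id <user>` output against the expected AD group list to see whether secondary groups are now reported.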